History lessons 4: What to do when an anomaly is detected?

David Rogers continues his blog series — commissioned by on-chip monitoring experts UltraSoC (now part of Siemens) examining security through the ages and highlighting lessons for emerging and future technologies.

There are many tales from history where things have been detected that have led to plots being uncovered. Some of this has been driven by prior knowledge: sometimes the actors involved are already under suspicion in some way, and in other cases it is pure chance and luck.

Guy Fawkes
Source: Edgar Wilson “Bill” Nye (1850-1896) [Public domain]

The gunpowder plot to blow up England’s parliament in 1605 was ultimately discovered because of a message to a Catholic parliamentarian warning him to stay away from the opening of parliament on November 5th. It was dismissed as a hoax at the time, but the King’s suspicions were raised and he instigated searches of parliament, increasing security. On the night of November 4th, Guy Fawkes was discovered and caught as he was leaving the place where he had stored the gunpowder underneath parliament. It appears that this was genuinely an artefact of the increased vigilance, as a few days before, Guy Fawkes had reported to his co-conspirators that “he found his ‘private marks’ all undisturbed” at the site where the gunpowder was stored. This seems to indicate that Guy Fawkes had taken his own precautions against the discovery and potential sabotage of the plot.

Another interesting story of discovery and detection is the Babington plot against Queen Elizabeth I. Queen Elizabeth’s spymaster, Francis Walsingham, discovered that a group of Catholic plotters led by a man called Anthony Babington were communicating with Mary Queen of Scots in order to depose Elizabeth and put Mary on the English throne. Walsingham first used an agent to change and control the channel by which Mary was communicating, ensuring that messages to and from her were hidden in the corks of beer barrels. This allowed him to have them intercepted and deciphered. The plot was allowed to continue, while Walsingham waited and gathered further evidence through the letters.

In the technology space, detection and response mechanisms exist mainly on the network side. Network traffic analysis tools are now backed by AI and machine learning techniques. The techniques for handling large volumes of network traffic and processing it at scale to discover anomalies have come a long way, but they have yet to properly take into account what is going on at the endpoints, and certainly not their innards down to the chip level.

Attackers already have a variety of ways to evade detection, having fought a cat-and-mouse game for many years. Intrusion detection and anti-virus systems often whitelist domains, so if an attacker is exfiltrating data through a legitimate service such as Amazon AWS or Google, it may be that a compromise is never detected. Equally, modern malware often protects its command and control channels with encryption, a logical thing to do given that many enterprises and tools will be looking for maliciousness within traffic. Another factor is that the barriers to entry have been lowered significantly by free certificate issuing services such as Let’s Encrypt. For a defender, deciding exactly what to look for is driven by external factors and intelligence feeding into the systems that look for anomalies.

If something is infiltrated into a device it may also never exfiltrate its data over a corporate IP-connected network, and may never need to connect to a command and control server that way. There are now a multitude of connection types available to devices, and many of these both bypass the business’s network and are outside its control. Bluetooth, low-power radio networks and mobile radio connections could all be used at the right time to move data from a compromised device.

Of course the attacker may not want to take any data at all, they might just want to compromise as many devices as possible and lie in wait to turn on some form of destructive attack at a later date, such as a Distributed Denial of Service, ransomware or wiper-style deletion attack.

All of these types of compromise point to the need for additional intelligence from the devices themselves, rather than relying only on network traffic, and there is no better place to gather it than in the foundations of the device itself: inside the hardware.

No matter where anomaly and intrusion detection are taking place, false positives are always going to be a problem and a risk. They could cause a defender to become fatigued with the number of alerts they are getting or to misplace resources. For safety critical systems, taking the wrong action on a security anomaly could create an unsafe situation for a system’s users.

What if the attacker deliberately behaves in a way that causes the system to do something?

Sophisticated attacks may seek to trigger false positives. Bruce Schneier’s book ‘Secrets and Lies’ talks about Mujahedeen attacks on Soviet bases in 1980s Afghanistan, where fence sensors would deliberately be triggered by throwing a rabbit near them. By doing this repeatedly, eventually the sensors would be turned off and next thing there would be a vehicle through the fence.

One could imagine this happening against monitoring at a low level in devices, and the trick to dealing with it is to resist the temptation to take immediate action. Events should be appropriately assessed and systems designed in such a way that they do not tip off or alert the attacker that the system is aware of anything out of the ordinary happening. In the long term this also allows the defender to gather intelligence on the attacker for later attribution efforts or for forensic purposes. Deciding exactly when to take action relies on taking a measured approach to whether damage or harm is going to be caused. This may be a human decision, but it may also be automated, so making sure the right decision is made is paramount.
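A triage policy built on the advice above, as an added example that is not from the original post: repeated triggers from one sensor are counted and held for assessment rather than used as a reason to switch the sensor off, and a different sensor firing while another is being flooded is escalated to a person. Sensor names, timestamps and the window and burst thresholds are constructed for the example.

```python
from collections import deque


class TriagePolicy:
    """Holds sensor alerts for assessment instead of silencing a noisy sensor.

    Added example, not from the original post. Event shape (timestamp in
    seconds, sensor name) and the window/burst thresholds are constructed.
    """

    def __init__(self, window=600.0, burst=5):
        self.window = window   # sliding window in seconds
        self.burst = burst     # triggers within the window that count as a burst
        self.history = {}      # sensor -> deque of trigger timestamps
        self.bursting = {}     # sensor -> timestamp of its last burst verdict

    def _count_recent(self, sensor, ts):
        q = self.history.setdefault(sensor, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def handle(self, ts, sensor):
        """Return the triage decision for one trigger of `sensor` at time `ts`."""
        n = self._count_recent(sensor, ts)
        decision = {
            "sensor": sensor,
            "count_in_window": n,
            "sensor_enabled": True,   # the sensor is never switched off
            "action": "assess",       # no immediate automatic response
            "flags": [],
        }
        if n >= self.burst:
            # Repeated triggers are recorded as a signal in their own right,
            # not treated as a reason to stop listening to this sensor.
            self.bursting[sensor] = ts
            decision["flags"].append("possible_deliberate_false_positives")
        # A different sensor firing while another is being flooded is exactly
        # the pattern the flooding is meant to hide: hand it to a person.
        flooded = sorted(s for s, t in self.bursting.items()
                         if s != sensor and ts - t <= self.window)
        if flooded:
            decision["flags"].append("correlated_with_flooded:" + ",".join(flooded))
            decision["action"] = "escalate"
        return decision


def replay(events, policy=None):
    """Run a list of (ts, sensor) events through the policy; returns decisions."""
    policy = policy or TriagePolicy()
    return [policy.handle(ts, sensor) for ts, sensor in events]


if __name__ == "__main__":
    # Constructed sequence: six fence triggers 100 s apart, then a gate sensor.
    sample = [(float(t), "fence-3") for t in range(0, 600, 100)] + [(520.0, "gate-1")]
    for d in replay(sample):
        print(d)
```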

‘Babington with his Complices in St. Giles Fields’, 1586
(Public domain)

In the Babington plot, Walsingham even manipulated Mary’s communications, adding text to a letter from her, requesting that the conspirators were named. This caused Babington to reveal their names, leading to the unravelling of the plot.

Manipulating attacker traffic in a system to send back false data or to lead the attacker into blind traps is much more sophisticated and potentially risky, but it could be possible, and it would let the defender significantly regain the initiative over the attacker.

In the case of Mary Queen of Scots, Walsingham waited until exactly the right moment to trap her, having taken control of the situation up to that point. The evidence in the end was so damning that it caused the linguist who deciphered her messages to draw a gallows on the letter before he passed it to Walsingham.


For more on how historical security measures and failures can help instruct the future of security design for hardware in connected devices, check out the webinar (co-hosted by UltraSoC CSO Aileen Ryan and Copper Horse founder and CEO David Rogers) accompanying this series of blog posts.


About the author

David Rogers is Founder and CEO at Copper Horse.

Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS), has continued since its work on Secure by Design was published and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice, and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

 

 

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.

What are your devices saying about you?

 

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowdfunding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether they are sending notifications or allowing the user to control functionality, and these devices often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries which are expected to last multiple years, and for this they need to use a low-power radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

 

We thought it would be interesting to buy some tools and see what data we could capture.

 

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run at 2.4 GHz. Bluetooth Low Energy was designed to provide much reduced communication overhead and power drain whilst offering a similar range.

 

We purchased an Ubertooth One from Great Scott Gadgets.

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools allows us to track Bluetooth devices as they pass by with BlueHydra showing us how often the devices are in our vicinity, how close and in many cases who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.

 

We also purchased a Zigbee packet analyser a few years ago for a project, before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low-power radio standard developed and maintained by the Zigbee Alliance, with most devices running at 2.4 GHz and some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

The device was manufactured by Freescale, which merged with NXP in 2015. The analyser we’re using is an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being communicated between an Amazon Echo Plus and Philips Hue smart light bulbs, and also Samsung SmartThings communicating with sensors. Although this data is encrypted, it does allow us to scan for Zigbee-based Smart Home devices around us, and as all devices are allocated their own Device Network ID, we can see how many devices someone has in their home.

Zigbee is designed not to leak information beyond the initial pairing process, which prevents arbitrary traffic analysis. In Bluetooth, however, when a device communicates with another device, e.g. a Fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits such as what time they get up in the morning. This is not good for user privacy.

New Smart Home Technology in 2018

 

Copper Horse’s Ryan Ng takes a look at some of the smart home technology that has caught his interest in the first part of the year.

 

A few months into 2018 and we are already seeing a lot of new smart home technology, some of which are great ideas and useful devices, while others are questionable.

 

To kick-start this year we had the Consumer Electronics Show (CES) in January where lots of new products and concepts were shown off. This included all kinds of tech including cars, TVs, and of course smart home devices. A noticeable trend in a lot of the devices announced is that they are providing support for two of the biggest smart home competitors, Amazon and Google. Providing Alexa and Google Assistant support allows these products to be better integrated into customers’ homes for those who already own an Amazon Echo or Google Home speaker, so they can control their devices via voice commands.

 

Another big event which took place this year was Mobile World Congress (MWC) which happened at the end of February. This event not only showed off a load of new smartphones, but it also again showed off a wide range of other technologies including smart home devices.

 

Whilst smart home devices are constantly improving, many are still insecure. Copper Horse provides training for all levels of expertise in designing and implementing security in smart home and Internet of Things products. Our next training course will be in Barcelona in May.

 

Here are some of the latest smart home devices shown off at these events that took my interest:

 

Lenovo Smart Display with Google Assistant

 

Google has teamed up with Lenovo to create a new product to compete with the Amazon Echo Show which was released in 2017. This smart display is essentially a Google Home speaker with an 8” or 10” display (depending on the model) attached to visually show information when asked. The Smart Display can also be used to perform video calls via the Google Duo application. It is very similar to Amazon’s Echo Show product and it remains to be seen whether users will take to this or prefer a voice-only product.

Samsung Family Hub Refrigerator

 

Samsung showed off its latest smart fridge powered by its virtual assistant Bixby. This refrigerator also acts as a SmartThings hub for all SmartThings enabled home automation devices. It has a huge touch display on the door which allows users to see inside the fridge using internal cameras, make shopping lists, play games, check the weather and more.

Smart Shower System Livin

 

A team from Fitbit and Foxconn have developed a new product in the smart home market called Livin. This is a smart shower system designed to minimise water waste and can be installed within 15 minutes. It features precise temperature controls via a smartphone that allows you to preheat the water before turning the shower on. It also features smart lighting and music playback with a knob for in-shower temperature and music controls.

Laundroid Laundry-Folding Robot

 

A Japanese company called Seven Dreamers showcased their latest model of Laundroid, a product which uses artificial intelligence to sort and fold your clothes. This is one of the more questionable products shown off as I do not expect the average consumer to spend $16,000 on a machine to fold and sort their clothes.

The new smart home technology featured above is only a small selection of products which have recently been announced and there will be many more to come in this year alone. It remains to be seen how successful or secure they’ll be, or most importantly, how useful.

 

How the UK’s Code of Practice on IoT security would have prevented Mirai

 

The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.

Copper Horse’s CEO, David Rogers, was the author of the UK’s Code of Practice for Security in Consumer IoT Products and Services, part of its report on Secure by Design, written in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.

 

Security of devices and services is never just about one single measure. By building strength-in-depth, an attacker will find it extremely difficult to execute a successful, persistent attack that can affect millions of IoT devices.

 

Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:

 

1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique, Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary remote code execution and supported the prevention of issues such as authentication bypass. With no ability to run code, even if Mirai could have accessed a device, it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.
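An added example, not from the Code of Practice or the original post: a factory-configuration audit that maps each of the six points above to a check, run over a constructed weak configuration and its hardened counterpart. The configuration keys, the sample default-credential list and the check-to-guideline mapping are assumptions of this example; the guideline numbers are the ones quoted in the post.

```python
"""Pre-shipment audit of a device's factory configuration against the six
Code of Practice points quoted above. Added example: the configuration
keys, the sample credential list and the mapping of checks to guideline
numbers are constructed for illustration, not taken from the Code itself.
"""

# Constructed sample of the kind of factory credential pairs Mirai tried.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("root", "12345"), ("user", "user"), ("admin", "password"),
}

# Telnet ports Mirai scanned for; the Code of Practice point is that a port
# the product does not need should not be open at all.
REMOTE_SHELL_PORTS = {23, 2323}


def audit_device_config(cfg):
    """Return a sorted list of (guideline_number, finding) for a config dict."""
    findings = []

    # Guideline 1: no default passwords.
    creds = (cfg.get("admin_user"), cfg.get("admin_password"))
    if creds in KNOWN_DEFAULT_CREDENTIALS or not cfg.get("password_unique_per_device"):
        findings.append((1, "factory credential is a known or shared default; "
                            "issue a unique per-device credential"))

    # Guideline 2: a published way to report vulnerabilities.
    if not cfg.get("vulnerability_disclosure_contact"):
        findings.append((2, "no vulnerability disclosure contact published"))

    # Guideline 3: the device can be patched in the field.
    if not cfg.get("update", {}).get("enabled"):
        findings.append((3, "no software update mechanism"))

    # Guideline 6: nothing listening that the product does not need.
    needed = set(cfg.get("required_ports", []))
    exposed = sorted(set(cfg.get("open_ports", [])) - needed)
    if exposed:
        note = " (telnet, the service Mirai abused)" if set(exposed) & REMOTE_SHELL_PORTS else ""
        findings.append((6, f"ports open but not required: {exposed}{note}"))

    # Guideline 7: firmware and updates are verified before they run.
    if not cfg.get("firmware_signature_verified"):
        findings.append((7, "firmware and updates are not verified against a vendor signature"))

    # Guideline 9: the product keeps working when its service is under attack.
    if not cfg.get("core_functions_work_offline"):
        findings.append((9, "core functions stop when the cloud service is unreachable"))

    return sorted(findings)


# Constructed example of a configuration with the weak settings ...
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin",
    "password_unique_per_device": False,
    "vulnerability_disclosure_contact": "",
    "update": {"enabled": False},
    "firmware_signature_verified": False,
    "open_ports": [23, 80, 2323, 8080], "required_ports": [80],
    "core_functions_work_offline": False,
}

# ... and the same device with each point addressed (contact is a placeholder).
HARDENED_CONFIG = {
    "admin_user": "admin", "admin_password": "<unique, set at manufacture>",
    "password_unique_per_device": True,
    "vulnerability_disclosure_contact": "security@example.com",
    "update": {"enabled": True},
    "firmware_signature_verified": True,
    "open_ports": [80], "required_ports": [80],
    "core_functions_work_offline": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_device_config(cfg))
```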

 

You can see that design measures, if implemented, can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild, and allow a response to an attack that is ongoing, whilst keeping users secure.

 

Security is a very difficult subject and there is no panacea for the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why, like many, I believe that the topic of security is more art than science.

 

In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work on GSMA’s IoT guidelines, which are now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.

 

There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.

 

Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services

Exhibiting at Mobile World Congress 2016 – Stand 7C70e


We are excited to announce that Copper Horse will be exhibiting at Mobile World Congress 2016 at the Grand FIRA in Barcelona 22-25 February 2016. Come and visit us in Hall 7 at Stand 7C70e. We will have some fun challenges on our stand including the chance to try your hand at lock picking. We will also be demonstrating the intelligent door, part of the Motion Project, allowing the monitoring of very distinct data points while allowing you full control of your privacy. Here at Copper Horse, we firmly believe that you are not the product.

 

You’ll find us at a number of events on-site including running the UKTI Cyber Security in the Mobile World sessions at lunchtimes on Monday 22nd (Connected Car Security), Tuesday 23rd (Future Network Security) and Wednesday 24th (Cyber Security in IoT) on stand 7C40, as well as speaking in the main conference on Thursday 25th. Monday the 22nd evening sees the “Dark and Stormy – The Cyber Happy Hour” from 17:15 onwards, which will include drinks, food and some amazing Pecha Kucha talks. Our CEO, David Rogers, will be MC’ing the event. We encourage you to come along to the cyber sessions as they’re all good learning opportunities as well as good for networking with other security professionals and experts. For all the UKTI events, just turn up to the UKTI stand 7C40 and try to get there early as the seats fill up fast.

 

We will also be hosting our invitation only, annual security dinner on the Sunday at a secret location in Barcelona.

 

Copper Horse is a UK based mobile systems security consultancy and solutions provider. The company provides world-leading security expertise on mobile and connected devices. The organisation is currently focused on advising clients on Internet of Things security threats, strategies and solutions as well as developing a security-focused IoT product through the company’s “Motion Project”. The company will focus on a consumer-focused IoT security strategy in 2016 with the theme of “You are not the product”.

 

If you’re interested in working with us, here are some of the services we provide:

 

• Security threat and risk analysis, strategies and solutions
• Internet of Things solutions development (security, software, hardware)
• Mobile handset security expertise (throughout the stack from hardware to browser)
• Incident handling and responsible disclosure expertise
• Smart Home security consultancy
• Connected Car security consultancy
• Small cells security
• Bespoke security and anti-fraud solutions development (including software and hardware)
• Standards consultancy
• Specialist investigations and product/market threat and risk analysis
• Technology horizon scanning

 

We look forward to meeting you in Barcelona!

Note: This blog was edited to add more details and events on the 10/02/16.

Security Threats to IoT

 

Our CEO, David Rogers, recently presented at Bletchley Park on some of the security issues facing IoT as part of the NMI IoT Security Summit. If you’re interested in the future of IoT security and the future connected world, including connected living, smart cities and automotive, feel free to get in contact and have a chat with us.

The Quandaries of Headless IoT Device Provisioning

 

Copper Horse’s Mobile Security Intern, April Baracho discusses challenges and methods of setting up secure and usable associations for IoT devices that have no visible user interface.


 

We are living in a world that is getting to be increasingly interconnected, an environment best described as the ‘Internet of Things’. Central to the existence and proliferation of the IoT is the automation of mundane tasks. This in turn depends on the ability of devices to communicate with each other with minimal human interaction. In order to achieve this, any device joining the network needs to be enrolled onto it. Enrolment of an IoT device is its initiation into the grid of interconnected devices. This is achieved by the secure exchange of credentials between the device and the network.

 

Connecting devices such as a laptop or a smartphone to a network is something most of us do on a regular basis (often gullibly, without batting an eyelid!). Provisioning IoT devices, on the other hand, is a whole other ball game. The main challenge is that most IoT devices are equipped with either a rudimentary user interface or, in some cases, no UI at all. While the secure bootstrapping of devices such as these is challenging, there are several ways in which it can be achieved.

 

A review of the big players in the IoT space demonstrates that most headless devices on the market today use a laptop or a palm-held device as an extended user interface, allowing for effective monitoring and management of the IoT device. A thermostat with only a display could flash a string the first time it is powered on, allowing a user to key that string into the application. Similarly, a device with a series of LEDs could blink a ‘key’ that could be entered into the smartphone app, linking the device and smartphone app together in a verified association.

 

Out-of-band provisioning methods such as NFC and Bluetooth are also commonplace. A headless device such as the Fitbit fitness tracker uses Bluetooth Low Energy (BLE) to enrol with the smartphone application and thereafter the rest of the home Wi-Fi network. Updates to the Wi-Fi Alliance certification program enable two Wi-Fi devices with NFC tags to connect to each other and the local Wi-Fi network by tapping them together.

 

Other methods used to connect headless IoT devices to a Wi-Fi network include the PIN method and the Push-Button Connect (PBC) method for Wi-Fi Protected Setup (WPS) enabled devices and access points. An obvious drawback of the PIN method in this scenario is that neither the access point nor the headless device has a keypad for the PIN to be entered. While the PBC method seems just a bit more effective in provisioning headless devices, it suffers from security issues such as a two-minute window that allows any WPS-enabled device to join the network once the button on the access point (hub) is pushed. Further security flaws in the WPS design, such as the vulnerability of the PIN method to brute-force attacks, have since been found.
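An added example of the blinked-key association described above, which also shows why a short PIN in the same role is the weak point: a 128-bit secret emitted over four LEDs is read into the app, and the two sides prove possession of it to each other before deriving a session key, so a wrongly read key or an impostor device fails the association instead of silently joining. This is not Copper Horse’s or any vendor’s design; the LED encoding, message format and HKDF label are constructed for the example.

```python
"""Verified association from a key the device shows out of band. Added
example, not Copper Horse's or any vendor's design: the device draws a
128-bit pairing secret and emits it over four LEDs as 4-bit frames (a
constructed encoding); the app that read the LEDs proves possession with an
HMAC over a nonce exchange, and both sides derive a session key with HKDF
(RFC 5869, built from hmac/hashlib here). A 4- or 8-digit PIN in this role
could be guessed offline from one captured exchange; 128 random bits cannot.
"""
import hashlib
import hmac
import secrets


def led_frames(secret):
    """Encode bytes as frames for 4 LEDs: one nibble per frame, MSB first."""
    frames = []
    for byte in secret:
        for nibble in (byte >> 4, byte & 0x0F):
            frames.append(tuple((nibble >> shift) & 1 for shift in (3, 2, 1, 0)))
    return frames


def decode_frames(frames):
    """Inverse of led_frames: rebuild the bytes the app saw blinked."""
    bits = [bit for frame in frames for bit in frame]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Peer:
    """One side of the pairing (the device or the app) holding the OOB secret."""

    def __init__(self, role, secret):
        self.role = role
        self.secret = secret
        self.nonce = secrets.token_bytes(16)

    def confirm(self, peer_nonce):
        # Proof of possession bound to the role and both nonces, so a tag
        # cannot be replayed in a later run or reflected back to its sender.
        msg = self.role.encode() + self.nonce + peer_nonce
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def verify(self, peer_role, peer_nonce, tag):
        expected = hmac.new(self.secret, peer_role.encode() + peer_nonce + self.nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def session_key(self, peer_nonce):
        salt = min(self.nonce, peer_nonce) + max(self.nonce, peer_nonce)
        return hkdf_sha256(self.secret, salt, b"headless-pairing-v1")


def pair(device_secret, app_entered_secret):
    """Run the mutual confirmation; return the shared session key or None."""
    device, app = Peer("device", device_secret), Peer("app", app_entered_secret)
    if not device.verify("app", app.nonce, app.confirm(device.nonce)):
        return None      # the app did not read the blinked key correctly
    if not app.verify("device", device.nonce, device.confirm(app.nonce)):
        return None      # the device is not the one that blinked the key
    key = device.session_key(app.nonce)
    assert key == app.session_key(device.nonce)
    return key


if __name__ == "__main__":
    secret = secrets.token_bytes(16)     # constructed: the device's fresh pairing secret
    seen = decode_frames(led_frames(secret))
    print(pair(secret, seen).hex())
```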

 

PKI for the Internet of Things

Enrolment of an IoT device, although a task in itself, only connects a device to the local network. It does not provide for the secure mutual verification of device identity. The setup of secure associations between devices is typically achieved by certificate exchange carried out via key agreement protocols. While it should be relatively straightforward to use a PKI framework for certificate exchange, there are some issues relating to scalability and device capability when it comes to considering the use of PKI in the IoT space.

 

The sheer number of IoT devices that are connected to the internet every day means that the scaled use of PKI in facilitating mutual authentication is debatable. Furthermore, IoT devices are typically resource constrained and do not possess computationally intensive processing capabilities. The storage of certificates, the processing associated with encryption and the setting up of handshakes to establish secure communications all require capabilities far beyond a typical resource-constrained device in the Internet of Things. Add to this the issue of scaled secure credential generation for the IoT and it is clear that a lot needs to be done to make the use of a PKI framework in the IoT a possibility and a reality.

 

Copper Horse Mobile Security Dinner – Mobile World Congress 2014

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

 

This is far too early for the dinner and in the wrong location…